Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp396578pxf; Thu, 11 Mar 2021 06:34:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJwkJyAtZ8NPE3ifvu/JijRJ7eSSb+hkBoS8QYzXuoWX8KVRfwSEM8T3wG+dXVa1KGAcyDc+ X-Received: by 2002:a17:906:c051:: with SMTP id bm17mr3293989ejb.21.1615473261299; Thu, 11 Mar 2021 06:34:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615473261; cv=none; d=google.com; s=arc-20160816; b=yuq2CmE6BfPHhT8QfVMTogYNoWx4phlekrrm400Z5WQFbHdLzobvOOKRnS/bN0ZbHG F8i5kllfjwtqHe5LXyeMupC3qbaIHzwepuKWVDyCEnpH4oXq7jE+N/qqR3lJgnJEX2NL 9BjR8GZKpXFkA1CbejCtzBrDS/PGtDhe50WOorl5Jn4sOk++xQaPazgw44t8Etv0rXCV QoDgHpgNmUkqYL35/5fM0R/sQrItlriCttvrrt2G6UNxHZUC2Z3u41mQ18EIvw5SfWPG fmqej7Qllp1iYMZydAdpZLPxXDp39H3RnD9hFbjN6DlEw8GfUWNpVnfXm+4iWRU2YG8E G63w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=mQt7kaRJYFt8oDFazh71/TC2oX7Le0bhMX+W6T/8ZRc=; b=fcJY/VNVtOXX44N9Ry3B295GreEnKeAlrcnyTc5dASCl9pmJsO+uPtc0O7bR0c48Xr LyyUs6Io+6bvoANgUD5PaT6uixGqGiX7qeOrXRAD0LZ/nkS31cdgwl0Vdy8zsv4+nWgp 4exwleYbH7Tj5GAkxih3/NpMwrvaJ7Jv0bVe1JNeT8u5naDf8t/oq4xHmWaUoz+uBPQo ewCXT4Ohey62ST2tT7NFZk+dd2TF4fJasg0KwPAcTZhEeO0OahlxXcleQs3xPgwcMv3v Z+yjHMH6e+c5sFvy79aMUzFffGdqXeSwIY9QS/BfeDqwdrv5wEsUopZkgrhsc6Sx5tuI lK5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=aYRrJGJw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d12si1826236edx.162.2021.03.11.06.33.57; Thu, 11 Mar 2021 06:34:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=aYRrJGJw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233917AbhCKOc1 (ORCPT + 99 others); Thu, 11 Mar 2021 09:32:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59994 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233583AbhCKOcF (ORCPT ); Thu, 11 Mar 2021 09:32:05 -0500 Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFC09C061574 for ; Thu, 11 Mar 2021 06:32:04 -0800 (PST) Received: by mail-lj1-x234.google.com with SMTP id 184so2406134ljf.9 for ; Thu, 11 Mar 2021 06:32:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mQt7kaRJYFt8oDFazh71/TC2oX7Le0bhMX+W6T/8ZRc=; b=aYRrJGJwGkT4xJi5pCXrM8jcy21L7f+STwO3QoU+Vs9TZ2VLdJ1/7lsqOmCUkWKP8K 35oY0MxUR4SX0mvPIMlpX5OchjTozH1hcgE/WriFMGh22WgRronkhDO6cIfffngc2OtP RdwmnbBtUd/xJkdVrErzAxRNQTZ62OzOvoDjZ9W1kTp/UPxAlurKv6z0yOGnktw+QFkV nAhOOa8TaFQqD6nQHoow5M4xAeVs3r71JihjTCnJfiSwTZirHmxrNHuvMi4bxf9JmlvL hRvrUk663EXap2bpeI2VNyIvCa7wsGvuEIuqjJ2EzNptAWYgpCP3VQWRNWdN95U/uY2V KP7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mQt7kaRJYFt8oDFazh71/TC2oX7Le0bhMX+W6T/8ZRc=; b=ddKIs6Sp2ipnsRgnqxL4InRjlEW/f43RhT44AbpjLKh138lZHpBH7RhDBWraD2IXVm n605le0OmwCftOWsYxButU3LHZysUxk7AZBXyM3b9VaEQgQhZBL5/uDIoq1mGDhcgFcn DtskykchJNuNJeRcQLKNZXLEUtFev79LobLuW7T371+LzNV5zeS3VK7PAmChcl5QMfZ7 ms3xpozxeMmVEk6xphGlPTHXrLz9WFkNc01gAOhvkFRXbRZOf5nAG3B9pNm/fmsfnivs MvNj+/XHJwVq0Sd3+5Z1UVGtTHbcdc6mQSyWvJzobIAQ2WOs+xl79gLcjdzybkWfJvzp gVLw== X-Gm-Message-State: AOAM5339stFaC2Nkr3E1ilwCiqxbWiqNK+TGF3euH497a67N182pOABQ N+43+oczzHwfiNRiMEANImHQx9lEQVdVw8Uov2s5mQ== X-Received: by 2002:a2e:7001:: with SMTP id l1mr4999215ljc.200.1615473123090; Thu, 11 Mar 2021 06:32:03 -0800 (PST) MIME-Version: 1.0 References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> In-Reply-To: From: Linus Walleij Date: Thu, 11 Mar 2021 15:31:49 +0100 Message-ID: Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem To: Hector Martin Cc: Sumit Garg , Arnd Bergmann , "open list:ASYMMETRIC KEYS" , David Howells , Jarkko Sakkinen , Joakim Bech , =?UTF-8?B?QWxleCBCZW5uw6ll?= , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , linux-nvme@vger.kernel.org, Ulf Hansson , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Marcan, thanks for the detailed description of your experience with the TPM and secure enclave! This is the kind of thinking and experience we really need here because it paints the bigger picture. I am very happy for involving you in this discussion because of your wide perspective on these features. On Thu, Mar 11, 2021 at 10:45 AM Hector Martin wrote: > All of these things make putting keys into TPMs, YubiKeys, the SEP, etc > a useful thing for anyone, regardless of whether their machine is locked > down or not. > > This is not the case for RPMB. RPMB *relies* on the software running on > the other side being trusted. RPMB, alone, provides zero new security > guarantees, without trusted software communicating with it. I kind of agree. My position is more like this: different storage media like eMMC, nvme etc are starting to provide RPMB, so we should provide an interface to it, harden it and test it, such that trusted systems can eventually use them, once they get there. eMMC and NVME already have divergent RPMB userspace interfaces. The code is already there. An in-kernel interface and joining the interfaces is under discussion. ($SUBJECT) Currently engineers are probably concerned with being able to make use of RPMB in their machines for present day TEE use cases, but as community we need to think of a future scenario where we may want to use it, because the abstractions are being added now, it seems. (Otherwise, in the future, someone is going to say: "why didn't you think about that from the beginning?") It's a fine line. Sometimes it becomes just immature up-front design. Luckily we have people like you telling us off ;) > With the MAC key provisioning for RPMB being a one-time process, it is > inherently a very risky operation that a user must commit to with great > care, as they only get one chance, ever. Yes. Current use cases involve that key mostly being set in manufacturing by vendors and accessible to a TEE-like secure world. It fits them. Their expectation is that the secure world is managed by them and tightly connected to the root of trust in the machine. Then we have these random devices which just happen to have some RPMB on them, sitting around for no reason. The software such as a Linux distribution has not figured out a use case. As a developer, dark silicon is disturbing to me so I try to think about a use case. My idea is more like a one-time use seal: the first user of the machine can use this RPMB store to get some hardware backing for rollback, pin attempts etc, but once that user is done with the machine you have no RPMB anymore (unless the user gives the key to the next user). If they just reformat the harddrive and lose the key, the ability to use this hardware is forever gone. Then software will cope with the situation. Such things happen. It is uncomfortable for those of us coming from the world of generic computing to think about hardware resources as one-time-use-only but in other strands of life such as medical needles this is not unheard of, it happens. > RPMB was designed for the sole purpose of plugging the secure storage > replay exploit for Android phones running TrustZone secure monitors. It > doesn't really do anything else; it's just a single low-level primitive > and you need to already have an equivalent design that is only missing > that piece to get anything from it. And its provisioning model assumes a > typical OEM device production pipeline and integration with CPU fusing; > it isn't friendly to Linux hackers messing around with securing LUKS > unlock attempt counters. I understand your argument, is your position such that the nature of the hardware is such that community should leave this hardware alone and not try to make use of RPMB for say ordinary (self-installed) Linux distributions? Yours, Linus Walleij